| Oracle® Retail Predictive Application Server Cloud Edition Administration Guide Release 22.2.401.0 F72005-01 |
|
 Previous |
 Next |
| Oracle® Retail Predictive Application Server Cloud Edition Administration Guide Release 22.2.401.0 F72005-01 |
|
Previous |
Next |
This chapter addresses user administration tasks.
Atomic User Management (AUM) simplifies the user management process for RPASCE and allows the customer to maintain RPASCE application users and groups in one place only, namely, OCI IAM. This is outside the application and probably shared by multiple applications belonging to same customer. This feature enables the customer to manage RPASCE application access control in the way customary to most web applications, and in a less error-prone manner.
AUM feature highlights include:
The customer can create or delete users only in the OCI IAM. There is no need to administer users in the application separately.
The customer can assign access rights to the users through OCI IAM groups that have matching counterparts in the application.
The users inherit the access rights from its groups in real time. That is, if a user is moved between groups in OCI IAM, the access rights of the user will change immediately upon the next login.
The RPASCE administrative users in the application are mapped to a designated group in the OCI IAM. Any user in that OCI IAM group will automatically become an RPASCE administrator when that user logs in. The name convention for this group is {APPCODE}_ADMIN_{ENV}. For example, MFPRCS_ADMIN_PROD is used for the administrative users in the MFPRCS application in production environment.
When a user logs in, if the user does not exist in the application, the user is automatically created in the application by AUM, with matching group assignments to that in the OCI IAM. If the user's group assignments have changed in the OCI IAM, when the user logs in the next time, the group assignments in the application will be changed to match that in the OCI IAM. If a user's assignment to the designated admin group (that is, {APPCODE}_ADMIN_{ENV}) has changed, its administration user status is also changed accordingly when the user logs in the next time.
The default group for new administration users is set to admin (Administrators), and the default group for other new users is set to the first group of that user in OCI IAM. The default group for the existing user will not change unless the user no longer belongs to it. In this case, it will be set in the same way as for a new user, that is, the first group in OCI IAM.
The migration tool Migrate User Groups to IDCS is provided via Online Administration Tools (OAT) to assist in migrating the groups and their memberships in the application to the OCI IAM.
A user maintenance tool Sync Users from IDCS is provided via Online Administration Tools (OAT) to synchronize to the application any authorized users for this application in the OCI IAM.
The User Manager OAT task Manage User can be used to purge these disabled users.
Note that the access rights of workbook templates and measures are still managed as before in the application through the Security Administration Workbook. It is highly recommended that the customer assign access rights to the groups, not the users, in the application. When a user is assigned to the proper groups in the OCI IAM, that user will automatically inherit the access rights from the groups in the application.
Position security is managed through the Security Administration Workbook in RPASCE, and a user's position security is not inherited from its groups. When a new user logs in for the first time, a message is displayed to indicate that additional security configuration is required.
Deactivation of a user is done only in OCI IAM. When a user is deactivated, that user will no longer be able to log into the RPASCE application. The user can be re-activated in OCI IAM and then will again have the permission to log in.
While the user accounts are managed in OCI IAM, groups are set up in both the application and OCI IAM. Some of these groups must be kept in sync and some are only in OCI IAM or the application.
OCI IAM-Only Groups
There are two groups that must only exist in OCI IAM. One is the application authorized group, which is typically named using the naming convention of {APPCODE}_AUTH_{ENV}. For example, MFPRCS_AUTH_PROD for the authorized group of MFPRCS application in the production environment. A user must be in the group in order to be able to log into the application. The other OCI IAM-only group is the RPAS administration group named using the naming convention of {APPCODE}_ADMIN_{ENV}. For example, MFPRCS_ADMIN_STAGE for the RPASCE administration group in the staging environment of the MFPRCS application. Any users in this group will become RPASCE administrative users in the application when they log into the application. When the application is initially provisioned, a default system user is created and assigned to both groups.
Application-Only Groups
There are two default groups in the application that do not exist in the OCI IAM. One is the default user (Default) group, which is a placeholder group for any logged users who have not been assigned an application group in OCI IAM. The other is the built-in administration group admin (Administration) for any RPASCE administrative users.
Migrate Application User Groups to OCI IAM
When the application PDS is built, a post-install script creates pre-defined application user groups automatically, such as MFPRCS_PLANNERS and MFPRCS_APPROVERS. Instead of manually creating these groups in OCI IAM, the default system user can log into the application and run the Migrate User Groups to IDCS OAT task to create these application user groups in OCI IAM, where they can be assigned to the users for this application.
This section describes the AUM utilities.
The OAT task Migrate User Groups to IDCS can be used to migrate the user groups in the RPASCE application to OCI IAM. It provides the flexibility to perform a dry run before the actual migration of users to OCI IAM. If the Commit Changes option is unchecked, the task will generate a dry run execution report. It is recommended that you generate a report first to detect any potential issues before committing the changes. This OAT task is designed to be able to run multiple times without adverse effects.
|
Caution: This utility should only be run in the initial setup of the application and OCI IAM. The group memberships in the application will overwrite what is in the OCI IAM. |
This OAT task is launched from the System Admin Tasks group.
Figure 2-1 Migrate User Groups to OCI IAM Task
The following actions are taken using the Migrate User Groups to OCI IAM task.
If an RPASCE group does not exist in OCI IAM, create it in OCI IAM with the identical name and label. The name will be in uppercase.
If an RPASCE user does not exist in OCI IAM, a warning message will be logged highlighting any users who must be created in OCI IAM to bring RPASCE and OCI IAM in sync.
Compare the group memberships of the application and the OCI IAM and take the following actions:
If a user is in a application group but not in the corresponding OCI IAM group, it will be added to the OCI IAM group.
If a user belongs to a group in OCI IAM, but not to the corresponding group in the application, it will be removed from the group in OCI IAM.
For RPASCE administrative users, assign them to the RPASCE administration group in OCI IAM that is designated by an environment variable. (The naming convention of such group is {APPCODE}_ADMIN_{ENV}, for example, MFPRCS_ADMIN_PROD.) Any non-admin user in the application will be removed from that OCI IAM admin group. This OCI IAM admin group must not exist in the application. For more details about the environment variable, refer to the Implementation Guide of the relevant RPASCE application.
For all RPASCE users in OCI IAM, assign them to the application-authorized group in OCI IAM that is passed by an environment variable. (The naming convention of such group is {APPCODE}_AUTH_{ENV}, for example, MFPRCS_AUTH_PROD.) This application authorized group must be an OCI IAM-only group and must not be in the application. For more details about the environment variable, refer to the Implementation Guide of the relevant RPASCE application.
A new user can been added to OCI IAM and authorized to access the application. Existing authorized users can be modified. An RPASCE user can be deleted from OCI IAM if the user leaves the organization or the team. The OAT task Sync Users from IDCS is provided to synchronize users from OCI IAM to the application. This task can be scheduled to run periodically (such as daily or weekly) to keep the obsolete users in check.
This OAT task synchronizes any authorized users in the OCI IAM to the application and takes the following actions:
New users created in OCI IAM are added to the application with the same attributes.
User name
Label
Administration status of the user that is determined by the OCI IAM group for RPASCE administration (for example, MFPRCS_ADMIN_PROD).
Group memberships for existing application groups.
The default group for new administration users is set to admin (Administrators), and the default group for other new users is the set to the first group of that user in OCI IAM.
Existing users are modified if they have been changed in OCI IAM. Possible changes include:
Label
Administration status
Group memberships
The default group for existing users will not change unless the user is removed from that group in OCI IAM. In this case, it will be changed to the default admin group for the administration user and the first group in OCI IAM for the non-admin user.
Application users who are no longer in the OCI IAM authorized group will be marked for deletion.
Application users who have been marked for deletion will be restored if they again become members of the OCI IAM authorized group
Note that this task disables the access of users to the application if they are deleted in OCI IAM or removed from the authorized group for the application in OCI IAM. The task does not remove a user from the application, but only marks the user for deletion. This feature is provided so that the administrator is able to add the user back to OCI IAM and restore the user in the application if the user is accidently deleted or unauthorized in OCI IAM. The user can be restored in the application by simply logging in again or by running this sync tool again.
For a new user setup, it is recommended that the administrator run this task to create the new users in the application after they are added and/or authorized in OCI IAM. After this, the position security and dashboard can be configured for those new users before their first login.
All users deleted or unauthorized from OCI IAM will be marked for deletion after the Sync Users from IDCS task is run. In order to permanently purge the users marked for deletion from the application along with their workbooks for security compliance or to reclaim space, the option Purge users marked for deletion of the Manage Users OAT task can be used.
A purge age in days parameter is available to control the purging of earlier-deleted users. The purge age refers to the time since the user was marked for deletion by the Sync Users from IDCS OAT task. Note that a user cannot be purged if any of the user's workspaces is shared. In such cases, their shared workspaces must be taken care of before the user is purged.
